Known bugs could be to blame for zombie alert prank

When regular programming for four television stations was briefly interrupted Monday night by an emergency alert warning that there were "dead bodies rising," there's little doubt viewers in Montana and Michigan were surprised, if not frightened.

But had any researchers from security services company IOActive been watching, they probably would have let out a big yawn.

That's not to say the IOActive team is adept at handling zombies. Instead, their calmness would be due to the fact that they've known for some time that devices used to disseminate messages from the national Emergency Alert System (EAS) are vulnerable to compromise and, hence, pranks.

As it turned out, the approximately 30-second alert that reached viewers of three Michigan TV stations and one in Montana was a hoax. There were, in fact, no "dead bodies rising from the grave and attacking the living," as the message said. There was no need to heed the message's warning to "not attempt to approach or apprehend these bodies as they are extremely dangerous."

Cesar Cerrudo, the CTO of IOActive Labs, told SCMagazine.com in an email Wednesday that researchers at his firm contacted the U.S. Computer Emergency Readiness Team (US-CERT) about a month ago to report the bugs.

"The vulnerabilities allow attackers remote compromising of the devices and could let them broadcast EAS messages," he said. "Since these devices are widely used and we found some devices directly connected to the internet, we think that it's possible that hackers are currently exploiting some of these vulnerabilities."

Cerrudo would not name the devices or affected vendor, but he's hopeful the vulnerabilities will soon be fixed and not leveraged to cast warnings of incidents that might be more believable to a trusting and panicky public, such as a terrorist attack.

Cynthia Thompson, station manager at two of the affected stations – WBUP (ABC-10) and WBKP (CW-5), based in Marquette County, Mich. – confirmed the incidents were the work of hackers.

"It has been determined that a 'backdoor' attack allowed the hacker to access the security of the EAS equipment," she wrote in a Tuesday blog post.

A spokesman for the Federal Communications Commission, which regulates the EAS, could not be reached for comment. But the agency reportedly issued an advisory (PDF) to EAS participants, recommending they ensure their devices are protected.

UPDATE: An FCC spokeswoman referred SCMagazine.com to a representative for the Federal Emergency Management Agency (FEMA), who did not immediately respond.
